
Beta version of ModSecurity for Nginx

ModSecurity is a popular free, open source Web Application Firewall (WAF). For a long time it existed only as a module for the Apache web server.

Later, realizing that the world is changing, the developers made a so-called standalone implementation that can be embedded in any application. And although the library is still in deep beta and is entirely tied to APR, a version of ModSecurity for IIS appeared some time ago.

Now the frontend/backend scheme has become the de facto standard, and it is logical to move the application's external security functionality to the frontend, which led to the need to run ModSecurity under perhaps the best web server today with reverse proxy functionality: Nginx.

The architecture of Nginx is such that modules are linked in at compile time, and handlers can be called at different phases of request processing. At the moment, the module handles GET and POST requests, including requests with a large body (unlike naxsi), which required installing its own location handler.
Because of this, the module is wired in as follows:
Without ModSecurity:

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_redirect off;
        proxy_pass http://localhost:8080;
    }

With ModSecurity enabled:

    location / {
        # enable the module for this location
        ModSecurityEnabled on;
        # mod_security configuration file
        ModSecurityConfig modsecurity.conf;
        # named location the request is passed to
        ModSecurityPass @backend;
    }

    location @backend {
        # proxy settings, same as without ModSecurity
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_redirect off;
        proxy_pass http://localhost:8080;
    }
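An added example, not part of the original article or the module's code: a small Python check that walks the location blocks of a config wired as above and reports any proxy_pass that is not behind a location with ModSecurityEnabled on, or a ModSecurityPass that names an undefined location. The sample config, the /api/ and /old/ locations and the function names are constructed for illustration; it assumes flat location blocks without nested braces.

```python
import re

# Constructed sample (not from the article): "/" is wired as shown above,
# "/api/" proxies directly, "/old/" points at a named location that is missing.
SAMPLE = """
location / {
    ModSecurityEnabled on;
    ModSecurityConfig modsecurity.conf;
    ModSecurityPass @backend;
}
location /api/ { proxy_pass http://localhost:8080; }
location /old/ {
    ModSecurityEnabled on;
    ModSecurityPass @missing;
}
location @backend { proxy_pass http://localhost:8080; }
"""

# Assumption: flat location blocks only (no nested braces inside a block).
LOCATION = re.compile(r"\blocation\s+([^\s{]+(?:\s+[^\s{]+)?)\s*\{([^{}]*)\}")

def parse_locations(conf):
    """Map each location name to a dict of its directives."""
    conf = re.sub(r"#[^\n]*", "", conf)  # strip nginx comments
    locations = {}
    for name, body in LOCATION.findall(conf):
        directives = {}
        for stmt in body.split(";"):
            parts = stmt.split(None, 1)
            if parts:
                directives[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
        locations[name] = directives
    return locations

def audit(conf):
    """Return sorted (location, problem) pairs for traffic that skips the WAF."""
    locs, covered, findings = parse_locations(conf), set(), []
    for name, d in locs.items():
        if d.get("ModSecurityEnabled") == "on":
            target = d.get("ModSecurityPass")
            if target in locs:
                covered.add(target)  # this location is fronted by ModSecurity
            else:
                findings.append((name, f"ModSecurityPass target {target} is not defined"))
    for name, d in locs.items():
        if "proxy_pass" in d and name not in covered:
            findings.append((name, "proxy_pass is reachable without ModSecurity"))
    return sorted(findings)
```

Calling audit(SAMPLE) lists the /api/ and /old/ locations; a config where every proxy_pass sits in a named location referenced by ModSecurityPass returns an empty list.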

What is implemented in the current version:

What is not implemented:


The module is available in svn; reviews, recommendations, bug reports and patches are very welcome.

Thanks to Igor Sysoev and Valery Kholodkov, the authors of the web server and add-ons whose source code is used in the module.

Source: https://habr.com/ru/post/152251/

